foo.sh/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nginx_site: Prefix all variables with role name

Browse source
This commit is contained in:
Timo Makinen 2023-10-13 17:14:14 +00:00
parent 15c612cb3b
commit 2119f96382
9 changed files with 103 additions and 101 deletions
Download patch file Download diff file Expand all files Collapse all files

26
roles/nginx_site/tasks/main.yml
View file

@ -1,47 +1,47 @@
---
- name: "Create site data directory for {{ site }}"
- name: "Create site data directory for {{ nginx_site_name }}"
ansible.builtin.file:
path: "/srv/web/{{ site }}"
path: "/srv/web/{{ nginx_site_name }}"
state: directory
mode: "0755"
owner: root
group: "{{ ansible_wheel }}"
when: redirect is not defined and proxy is not defined
when: nginx_site_redirect is not defined and nginx_site_proxy is not defined
- name: "Create site config for {{ site }}"
- name: "Create site config for {{ nginx_site_name }}"
ansible.builtin.template:
dest: /etc/nginx/conf.d/{{ site }}.conf
dest: /etc/nginx/conf.d/{{ nginx_site_name }}.conf
src: site.conf.j2
mode: "0644"
owner: root
group: "{{ ansible_wheel }}"
notify: Restart nginx
- name: "Copy site private key for {{ site }}"
- name: "Copy site private key for {{ nginx_site_name }}"
ansible.builtin.copy:
dest: "{{ tls_private }}/{{ site }}.key"
dest: "{{ tls_private }}/{{ nginx_site_name }}.key"
src: "{{ item }}"
mode: "0600"
owner: root
group: "{{ ansible_wheel }}"
with_first_found:
- "/srv/letsencrypt/live/{{ site }}/privkey.pem"
- "/srv/ca/private/{{ site }}.key"
- "/srv/letsencrypt/live/{{ nginx_site_name }}/privkey.pem"
- "/srv/ca/private/{{ nginx_site_name }}.key"
- "/srv/ca/private/{{ inventory_hostname }}.key"
tags: certificates
notify: Restart nginx
- name: "Copy site certificate for {{ site }}"
- name: "Copy site certificate for {{ nginx_site_name }}"
ansible.builtin.copy:
src: "{{ item }}"
dest: "{{ tls_certs }}/{{ site }}-fullchain.crt"
dest: "{{ tls_certs }}/{{ nginx_site_name }}-fullchain.crt"
mode: "0644"
owner: root
group: "{{ ansible_wheel }}"
validate: /usr/bin/openssl x509 -in %s -noout
with_first_found:
- "/srv/letsencrypt/live/{{ site }}/fullchain.pem"
- "/srv/ca/certs/hosts/{{ site }}.crt"
- "/srv/letsencrypt/live/{{ nginx_site_name }}/fullchain.pem"
- "/srv/ca/certs/hosts/{{ nginx_site_name }}.crt"
- "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
tags: certificates
notify: Restart nginx

44
roles/nginx_site/templates/site.conf.j2
View file

@ -1,6 +1,6 @@
{% if proxy is defined and proxy is not string %}
upstream {{ site }} {
{% for item in proxy %}
{% if nginx_site_proxy is defined and nginx_site_proxy is not string %}
upstream {{ nginx_site_name }} {
{% for item in nginx_site_proxy %}
{% set item = item | regex_replace("^(https://)?([^/]*).*$", "\\2") %}
{% if item | regex_search(".*:[0-9]+$") %}
server {{ item }};
@ -13,52 +13,52 @@ upstream {{ site }} {
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ site }};
server_name {{ nginx_site_name }};
access_log {{ nginx_logdir }}/{{ site }}.access.log combined;
error_log {{ nginx_logdir }}/{{ site }}.error.log warn;
access_log {{ nginx_logdir }}/{{ nginx_site_name }}.access.log combined;
error_log {{ nginx_logdir }}/{{ nginx_site_name }}.error.log warn;
add_header Strict-Transport-Security "max-age=63072000" always;
{% if ssl_config is defined %}
{% if ssl_config == "old" %}
{% if nginx_site_ssl_config is defined %}
{% if nginx_site_ssl_config == "old" %}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
{% endif %}
{% endif %}
ssl_certificate {{ tls_certs }}/{{ site }}-fullchain.crt;
ssl_certificate_key {{ tls_private }}/{{ site }}.key;
ssl_certificate {{ tls_certs }}/{{ nginx_site_name }}-fullchain.crt;
ssl_certificate_key {{ tls_private }}/{{ nginx_site_name }}.key;
{% include "./{}.conf.j2".format(site) ignore missing %}
{% if redirect is defined %}
return 301 {{ redirect }};
{% elif proxy is defined %}
{% include "./{}.conf.j2".format(nginx_site_name) ignore missing %}
{% if nginx_site_redirect is defined %}
return 301 {{ nginx_site_redirect }};
{% elif nginx_site_proxy is defined %}
location / {
{% if proxy is not string %}
{% set path = proxy[0] | regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %}
{% if nginx_site_proxy is not string %}
{% set path = nginx_site_proxy[0] | regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %}
# https://trac.nginx.org/nginx/ticket/1307
proxy_ssl_verify off;
proxy_pass https://{{ site }}{{ path }};
proxy_pass https://{{ nginx_site_name }}{{ path }};
{% else %}
proxy_pass {{ proxy }};
proxy_pass {{ nginx_site_proxy }};
{% endif %}
}
{% else %}
root /srv/web/{{ site }};
root /srv/web/{{ nginx_site_name }};
{% endif %}
}
server {
listen 80;
listen [::]:80;
server_name {{ site }};
server_name {{ nginx_site_name }};
location /.well-known/acme-challenge/ {
proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/;
}
location / {
{% if redirect is defined %}
return 301 {{ redirect }};
{% if nginx_site_redirect is defined %}
return 301 {{ nginx_site_redirect }};
{% else %}
return 301 https://$host$request_uri;
{% endif %}